UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL
Evaluation and Inspection Services

May 5, 2009

Memorandum

TO:       James Manning
          Acting Chief Operating Officer
          Federal Student Aid

FROM:     Wanda A. Scott /s/
          Assistant Inspector General
          Evaluation, Inspection, and Management Services

SUBJECT:  Final Management Information Report
          Review of Federal Student Aid’s Enterprise Risk Management Program (ED-OIG/I13I0005)

This final management information report presents the results of our review of Federal Student Aid’s (FSA) Enterprise Risk Management Program and FSA’s response to those results.

BACKGROUND

In May 2006, FSA formally created the Enterprise Risk Management Group (ERMG). The ERMG is divided into two main areas: the Internal Review Division and the Risk Analysis and Reporting Division. The Internal Review Division is responsible for helping to ensure that an effective internal control framework is in place across the enterprise; however, it does not have any responsibilities related to the implementation of enterprise risk management. The Risk Analysis and Reporting Division is responsible for developing an enterprise risk management strategy and implementing an enterprise risk management program at FSA.

The ERMG is headed by the Chief Risk Officer, who reports to the General Manager of Enterprise Performance Management Services.
According to FSA’s Five-Year Plan for 2006-2010, the enterprise risk management function was intended to develop risk assessments and provide a more strategic view of future risks, and was designed to better equip senior management to anticipate, analyze, and manage risks inherent in the federal student financial assistance programs.

FSA’s enterprise risk management program is based on the Enterprise Risk Management – Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO Framework). The COSO Framework defines enterprise risk management as a “process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

The Department of Education's mission is to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access.

The COSO Framework consists of eight interrelated components that are derived from the way management runs an enterprise and are integrated with the management process.
The components are described as follows:

• Internal Environment – this component serves as the basis for enterprise risk management and is comprised of the entity’s risk management philosophy; its risk appetite;[1] the integrity, ethical values, and competence of the entity’s employees; and the environment in which those employees operate.
• Objective Setting – the entity ensures it has a process to set objectives and that the objectives support and are aligned with the entity’s mission. Objective Setting is a precondition to Event Identification, Risk Assessment, and Risk Response.
• Event Identification – the entity identifies internal and external events affecting the achievement of its objectives, and distinguishes between risks (negative impact) and opportunities (positive impact).
• Risk Assessment – the entity analyzes identified risks, considering likelihood and impact, to determine how they should be managed.[2]
• Risk Response – the entity identifies and evaluates possible responses to risk, and selects a set of actions to align risks with the entity’s risk tolerances[3] and risk appetite.
• Control Activities – the entity establishes and executes policies and procedures to help ensure that the risk responses are effectively carried out.
• Information and Communication – the entity identifies, captures, and communicates relevant information throughout the entity in a clear form and timeframe that enables people to carry out their responsibilities.
• Monitoring – the entire entity monitors itself through ongoing management activities and/or separate evaluations.

According to the ERMG, enterprise risk management at FSA is “a coordinated, culture-based approach to holistically addressing all of an organization’s risks – including operational, financial, strategic, compliance and reputational risks under one umbrella.”

The ERMG is implementing its COSO Framework-based enterprise risk management program in three phases.

• Phase I involves establishing the ERMG and committee, developing a strategy and methodology for implementation, obtaining contractor services, and communicating enterprise risk management information to FSA’s executives.
• Phase II consists of formalizing the enterprise risk management strategy and project plan, adopting a risk framework, developing an enterprise risk management website, conducting a high-level risk assessment at FSA, developing a methodology for performing business unit risk assessments, developing a risk tracking system, and identifying, assessing, and inventorying risks for 25 percent of FSA’s business units. These activities focus on the Event Identification and Risk Assessment components of the COSO Framework.
• Phase III involves identifying, assessing, and inventorying risks for the remaining 75 percent of the business units, creating enterprise level reports for senior management, documenting FSA’s risk tolerances and appetites, and developing a methodology for fully implementing the remaining enterprise risk management components.

The ERMG’s project plan indicates that all phases will be complete by September 30, 2010.

[1] Risk appetite is defined as the amount of risk an entity is willing to accept in pursuit of its mission.
[2] Risks within the COSO Framework are discussed in terms of inherent risk and residual risk. Inherent risk is defined by the COSO Framework as the risk to an entity in the absence of any actions management might take to alter the risk’s likelihood or impact. The ERMG uses a similar term, aggregate risk, which it defines as the total amount of exposure associated with a specified risk that does not include the effect of risk strategies, controls or other measures designed to mitigate the effect of the specified risk. Residual risk is defined by the COSO Framework and the ERMG as the risk that remains after action has been taken to alter the risk’s likelihood or impact.
[3] Risk tolerances are defined by the COSO Framework as the acceptable levels of variation relative to the achievement of objectives. In other words, it is the amount of variation that an entity is willing to accept in pursuit of its goals and objectives.

REVIEW RESULTS

The objective of our inspection was to evaluate FSA’s implementation of
enterprise risk management. The ERMG has not fully addressed any of the COSO Framework’s eight components. The COSO Framework states that determining whether an enterprise risk management program is “effective” is a judgment resulting from an assessment of whether the eight components are present and functioning effectively. While the ERMG has developed plans and begun business unit activities related to three components (Objective Setting, Event Identification, and Risk Assessment), the plans for fully addressing the remaining five components at FSA (Internal Environment, Risk Response, Control Activities, Information and Communication, and Monitoring) have received limited attention. As a result, FSA has not implemented enterprise risk management. This report will present information on FSA’s progress toward implementation as of December 2008.

The Chief Risk Officer began working at FSA in June 2004. FSA’s former Chief Operating Officer formally approved the ERMG in May 2006, nearly two years later. Prior to formal approval, the ERMG began conducting activities associated with Phase I of its program. After receiving formal approval, the ERMG officially started its enterprise risk management program and began strategic planning. The Chief Risk Officer and the Risk Analysis Team Leader informed us that FSA management also assigned them multiple high priority special projects, such as a regional workforce effectiveness study, conducted for approximately seven months, which limited the amount of time available to implement enterprise risk management. The ERMG completed Phase I of its program on December 30, 2006, and has nearly completed all activities associated with Phase II.

The ERMG began work in FSA’s business units in May 2007. As of December 2008, the ERMG has completed risk identification, aggregate risk assessment, and inventory activities for 3 of 26 business units.
As part of these initial business unit activities the ERMG also aligned each business unit’s goals and objectives with FSA’s strategic objectives. These three business units are:
• Communications, Reporting, and Analysis;
• Facilities, Security, and Emergency Management Services; and
• Workforce Development Services.

The ERMG has nearly completed risk identification in two other business units:
• Conferences and Administration Services; and
• Human Resources and Workforce Services.

The ERMG has initiated work in three more business units:
• Strategic Planning;
• Financial Management; and
• Budget.

None of FSA’s business units directly responsible for administering the federal student aid programs have been examined or included in ERMG’s business unit activities to date. The Chief Risk Officer anticipates that the ERMG will have risks documented in all 26 business units by the end of calendar year 2009, and has hired a contractor to help accomplish this task within this timeframe. In addition, as a training tool for new risk analysts, the ERMG is planning a review of the Enterprise Risk Management business unit.

After risk identification, aggregate risk assessment, and inventory activities have been completed for all business units, the ERMG plans to return to each business unit to identify the risk responses and assess the amount of residual risk given the control activities in place. According to the ERMG’s project plan, the end date for these activities is September 30, 2010.
The ERMG does not have a formal methodology in place for identifying risk responses and assessing the amount of residual risk.

The business unit risk activities thus far have concentrated on Event Identification and Risk Assessment at the aggregate level. The ERMG has also given attention to the Objective Setting component at the FSA-wide level and as part of each business unit review. The Chief Risk Officer said that the Risk Assessment component is more straightforward than the Internal Environment and Objective Setting components of the COSO Framework. The ERMG has not focused on the Internal Environment component, including defining FSA’s risk appetite and risk philosophy, nor has it begun to conduct activities specifically related to the Risk Response, Control Activities, Information and Communication, and Monitoring components.

The ERMG’s limited attention to the Internal Environment component is noteworthy given the importance placed on it throughout the COSO Framework and in the ERMG’s own definition. The COSO Framework states that the Internal Environment “sets the basis for how risk and control are viewed and addressed by an entity’s people.” The ERMG’s definition of the Internal Environment, based on the COSO Framework’s description of that component, states that the Internal Environment is “the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of risk management.” According to the ERMG’s definition, Internal Environment elements include an entity's risk management philosophy; its risk appetite; the integrity, ethical values, and competence of the entity's people; and the way management assigns authority and responsibility.
The COSO Framework states that the “effectiveness of enterprise risk management cannot rise above the integrity and ethical values of the people who create, administer, and monitor entity activities.”

While both the COSO Framework and the ERMG, as expressed in its definition, agree that the Internal Environment serves as a basis for all other components of enterprise risk management, the ERMG’s work has not addressed the specific elements of the Internal Environment. The ERMG has not ensured that FSA has a defined risk management philosophy or risk appetite. Additionally, the ERMG has not given attention to existing information on FSA’s Internal Environment, such as FSA-wide surveys indicating that there are perceptions on the part of FSA staff concerning a lack of integrity, ethical values and commitment to competence from FSA leadership, or Office of Inspector General audits that have also found issues with FSA’s Internal Environment. The COSO Framework emphasizes that the negative impact of an ineffectual Internal Environment can be far-reaching.

FSA COMMENTS

On March 17, 2009, we provided FSA with a copy of our draft management information report for comment. We received FSA’s comments to the report on April 14, 2009. FSA did not take issue with any of the factual information presented in the report, but did have comments on the way in which the information was presented. We have summarized FSA’s concerns and provided our responses below.
FSA’s response, in its entirety, is attached.

FSA Comment
FSA stated that we did not elaborate on what is meant by the statement in the report that “ERMG has not fully addressed any of the COSO Framework’s eight components,” and that this implies that the ERMG’s efforts relating to the eight components of COSO are in some way deficient. FSA also stated that OIG’s assertion that FSA has “not implemented enterprise risk management” is somewhat misleading because it states the obvious and could undermine the ERMG’s efforts because many of the benefits associated with enterprise risk management can be and are realized prior to the “full implementation.”

OIG Response
The statement that the “ERMG has not fully addressed any of the COSO Framework’s eight components” is a conclusion based on a review of the ERMG’s activities thus far. The Review Results section of the report fully explains the status of each of the eight components. For example, on page 3 we explained that the ERMG has developed plans and begun activities related to three components and that the plans for fully addressing the remaining five components have received limited attention. On page 4 we noted that none of FSA’s business units directly responsible for administering the federal student aid programs have been examined or included in ERMG’s business unit activities to date. The statement that FSA has “not implemented enterprise risk management” is also a conclusion in answer to our objective and is supported by all of the facts presented in our report. This conclusion is necessary for a full understanding of the current state of enterprise risk management at FSA.
To the extent that FSA management recognizes value in the efforts of the ERMG, the facts presented in our report should not undermine the work of the ERMG. We note that in its response, FSA did not provide any specific benefits that have been realized as a result of its enterprise risk management implementation efforts.

FSA Comment
FSA stated that while the business unit activities referred to in the report represent a significant part of FSA’s enterprise risk management program, the ERMG conducted other activities between May 2007 and December 2008. FSA provided a list of activities the ERMG had conducted during this time. FSA stated that OIG’s failure to recognize these activities in the ‘Review Results’ section of the report could present an unbalanced view of the status of FSA’s enterprise risk management program and associated implementation efforts.

OIG Response
OIG did not recognize all of the ERMG’s activities in the Review Results section.
In the Background section of our report, we noted that Phase I of FSA’s enterprise risk management program included “obtaining contractor services,” and “communicating enterprise risk management information to FSA executives” and Phase II included “conducting a high-level risk assessment” and “developing a risk tracking system.” In the Review Results section of our report, we stated that the ERMG had completed Phase I of its program and had nearly completed all activities associated with Phase II.

The report did not discuss the development of tools, resources, policies, procedures, and process documents to guide and support the program because they are typical activities when starting new programs and are not unique to the implementation of enterprise risk management at FSA. The report is not designed to be a catalog of all the activities conducted by the ERMG since its inception, but rather to explain the current state of enterprise risk management at FSA.

FSA Comment
FSA stated that it disagrees with the characterization that it has devoted limited attention to the Internal Environment component and stated that it has performed or is in the process of performing significant efforts relating to FSA’s internal environment. The specific example that FSA provided was the high-level risk assessment performed under a purchase agreement with Grant Thornton LLP which, according to FSA, provided a high-level baseline review and documentation of FSA’s internal environment.

OIG Response
We reviewed Grant Thornton’s high-level risk assessment and the associated purchase order during the course of our fieldwork.
We found that a review of FSA’s internal environment was not the primary purpose of the work as it was not mentioned in the task order and was not included in the initial draft report provided to FSA. In fact, the Risk Analysis Team Leader, who also served as the Contracting Officer’s Representative for the purchase order, told us during our fieldwork that the internal environment section was not very involved. When discussing the assessment, the Chief Risk Officer said that he wanted the contractor to do a quick review of the internal environment so the ERMG could check off that it had been completed.

The listing of documents reviewed by Grant Thornton, found in Appendix B of its final report, does not contain OIG reports or FSA-wide employee surveys. At the time of Grant Thornton’s work, OIG had completed audits that identified significant internal control weaknesses at FSA. Additionally, there were employee survey results suggesting a concern among FSA staff about a lack of integrity, ethical values and commitment to competence from FSA leadership. Because the high-level risk assessment is the only area in which the ERMG claims to have addressed Internal Environment on an enterprise-wide level and based on the weaknesses related to the report noted above, we concluded that the ERMG has given limited attention to the Internal Environment component.

FSA Comment
FSA stated that it believes the ERMG efforts related to the Internal Environment component are substantial; however, it stated that it did not intend to audit or opine on the strength or effectiveness of this component. FSA further stated that to do so would be premature and offer little or no added value.

OIG Response
We stand by our conclusion that the ERMG’s efforts related to the Internal Environment component are limited.
The ERMG defines the Internal Environment component as “the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of risk management.” [Emphasis added.] According to the ERMG definition, Internal Environment elements include an entity’s risk management philosophy; its risk appetite; the integrity, ethical values, and competence of the entity’s people; and the way management assigns authority and responsibility. As we stated in our report, “[t]he ERMG has not ensured that FSA has a defined risk management philosophy or risk appetite. Additionally, the ERMG has not given attention to existing information on FSA’s Internal Environment such as FSA-wide surveys indicating that there are perceptions on the part of FSA staff concerning a lack of integrity, ethical values and commitment to competence from FSA leadership….” The COSO Framework states that the “effectiveness of enterprise risk management cannot rise above the integrity and ethical values of the people who create, administer, and monitor entity activities.”

The ERMG’s efforts related to the Internal Environment component are not substantial due to the fact that the ERMG has not addressed the specific elements of the component.
The fact that FSA believes that determining the strength or effectiveness of this component would be premature and offer little or no added value is contradictory to the importance placed on it in the COSO Framework and by the ERMG’s own definition.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of our inspection was to evaluate FSA’s implementation of Enterprise Risk Management.

We began our fieldwork on July 17, 2008 and conducted an exit conference on February 10, 2009.

The scope of our review included the ERMG’s implementation activities at FSA from the hiring of the Chief Risk Officer in June 2004 to December 2008.

We reviewed COSO’s Enterprise Risk Management – Integrated Framework. To evaluate FSA’s implementation of enterprise risk management, we reviewed the ERMG’s Strategic Plan, Project Plan, methodology for conducting business unit risk activities, risk categories, risk ratings, risk heat map, risk terminology, and listing of special projects. We also reviewed seven of the ERMG’s PowerPoint presentations and documents related to Business Unit Risk Activities in five business units, including summary reports for three of those business units. We reviewed documents associated with both of the ERMG’s purchase agreements for enterprise risk management support services, ED-06-AG-0039 with Grant Thornton and ED-08-AG-0003 with ADI Consulting, including the High-Level Risk Assessment created by Grant Thornton under Task Order 1 of their purchase agreement.
We also interviewed FSA staff in the ERMG.

Our inspection was performed in accordance with the 2005 President’s Council on Integrity and Efficiency Quality Standards for Inspections appropriate to the scope of the inspection described above.

ADMINISTRATIVE MATTERS

In accordance with the Freedom of Information Act (5 U.S.C. §552), reports issued by the Office of Inspector General are available to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act.

Electronic cc: Linda Hall, Acting General Manager, Enterprise Performance Management Services
               Stan Dore, Chief Risk Officer
               Marge White, Director, Internal Review Division
               Cynthia Vitters, Team Leader, Risk Analysis Team


April 10, 2009

Mr. W. Christian Vierling
Director, Evaluation and Inspection Services
U.S. Department of Education
Office of Inspector General
550 12th Street, S.W., Room 8153
Washington, DC 20024

Dear Mr. Vierling:

Thank you for providing us with an opportunity to respond to the Office of Inspector General’s (OIG) draft management information report entitled, “Review of Federal Student Aid’s Enterprise Risk Management Program” (Control Number ED-OIG/I13I0005).
While we understand that since this report did not contain any recommendations for corrective action, no response is required, we appreciate the opportunity to address some of the information, comments and assertions contained therein.

As noted in the background section of this management information report (MIR), Federal Student Aid’s Enterprise Risk Management Group (ERMG) was created in May 2006 to provide a more strategic view of risks at Federal Student Aid (FSA) and better enable senior management to identify, assess, manage and monitor those risks. In support of those objectives, ERMG’s Risk Analysis & Reporting Division is leading the effort to implement an Enterprise Risk Management (ERM) Program at FSA. This effort, which is among the first of its kind in the federal government, represents a forward-looking and proactive approach to evaluating and managing risk, especially at the enterprise or strategic level.

Since much of the focus of this inspection was centered on evaluating FSA’s implementation of its ERM program against its adherence to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework, we feel compelled to respond to some assertions contained in the OIG Inspection report that we do not believe to fairly characterize the results of our effort to date. One such example of this is the statement that “ERMG has not fully addressed any of the COSO Framework’s eight components.” The report does not elaborate on what is meant by “fully addressing” the components, yet implies that ERMG’s efforts relating to the eight components of COSO are in some way deficient.

FSA has chosen to adopt a framework, which is based on the ERM Integrated Framework issued in 2004 by COSO.
Since the COSO Framework was developed primarily with public stockholder-owned corporations in mind, Federal Student Aid has spent considerable time evaluating and considering how to utilize various aspects of this Framework to be most applicable and beneficial to a federal entity.

Federal Student Aid has made the decision to address all eight components in its ERM Program, Strategy, and/or Project Plan documents, which were provided to the OIG inspectors at the beginning of their fieldwork. At no point during the inspection did ERMG represent that all activities related to these components were complete and some are not yet even in process. However, we are not applying the COSO Framework in the exact manner or order described in the COSO guidance. The guidance in COSO all but mandates this approach. Specifically, COSO states: “No two entities will, or should, apply enterprise risk management in the same way. Companies and their enterprise risk management capabilities and needs differ dramatically by industry and size, and by management philosophy and culture. Thus, while all entities should have each of the components in place and operating effectively, one company’s application of enterprise risk management – including the tools and techniques employed and the assignments of roles and responsibilities – often will look very different from another’s.”

The implementation and execution of an effective ERM program is a multi-year effort that requires time, commitment, support and resources. Therefore, we believe that the OIG’s assertion that FSA has “not implemented enterprise risk management” is somewhat misleading. Our concern is that since it merely states the obvious, it tends to undermine ERMG’s efforts as this is not a realistic expectation or goal at this point in time.
In fact, only a very small percentage of publicly traded companies have fully implemented ERM programs, despite having a significant head start over their government counterparts. Most ERM programs, like FSA’s, are works-in-progress. Despite this, many of the benefits associated with ERM can be and are realized prior to the “full implementation” of ERM.

FSA’s ERM Program competes with other ERMG efforts including special projects, risk assessments and internal reviews. It was developed internally with extensive planning, analysis and research, which was a necessity as there is no governmental guidance directly related to ERM, or other federal ERM programs to model after. The ERM Program consists of various additional efforts beyond the business unit risk activities referred to in the OIG’s report. While the business unit risk activities represent a significant part of FSA’s ERM Program, numerous other activities were underway during the May 2007 through December 2008 time period referenced by this report. These activities include:

• Conduct a high-level risk assessment to identify and assess FSA’s strategic risks;
• Development and finalization of various risk resources and tools to guide and support the ERM Program;
• Development and implementation of an advanced risk tracking database;
• Training and presentations provided to internal business units, senior management and entities outside of Federal Student Aid;
• Conduct various activities required to acquire contractor support for the ERM effort; and
• Completion of various policies, procedures and/or process documents in support of FSA’s ERM Program.

We believe that failure to recognize these activities in the ‘Review Results’ section of this report can present an unbalanced view of the status of FSA’s ERM Program and associated implementation efforts.

Considerable attention in this report also focuses on what OIG characterizes as “ERMG’s limited attention to the Internal Environment component” of the COSO ERM Framework. We respectfully disagree with this characterization and maintain that significant efforts relating to FSA’s Internal Environment have been performed or are in process. Prior to beginning the detailed risk activities currently underway, ERMG engaged an independent contractor, Grant Thornton, LLP (GT), to perform a high-level risk assessment at FSA. As part of that effort, GT also performed a high-level baseline review and documentation of FSA’s Internal Environment as defined by the COSO ERM Framework. The results of that review were contained in the high-level risk report presented to executive management.
At the same time, efforts to document and evaluate the Internal Environment at FSA continue as part of other activities associated with the implementation of FSA’s ERM Program.

We believe that the combined ERMG efforts discussed above and relating to the COSO Internal Environment component are substantial. Nonetheless, we appear to have fundamental differences with the OIG about the timing of activities associated with incorporating this component into FSA’s framework. Although the baseline review and documentation of the Internal Environment were performed as planned, we did not intend as part of that effort to audit or opine on the strength or effectiveness of this COSO component. To do so, in our opinion, would be premature and offer little or no added value.

While efforts to implement an ERM Program at FSA are not free from challenges or mistakes, they do offer a unique opportunity to enhance the organization’s risk management practices, understanding and culture. Our process of implementing an ERM Program is one of continuous enhancement, refinement and adoption of best practices. As such, we appreciate the chance to share our efforts and progress with the OIG’s inspection team and hope to further improve FSA’s ERM Program based on the feedback provided.

Sincerely,

/s/

James F. Manning
Acting Chief Operating Officer